Host computers, including servers and client computers, are typically interconnected to form computer networks. A computer network, and more generally a communications network, is a group of devices or network entities that are interconnected by one or more segments of transmission media on which communications are exchanged between those network entities. The communications can be transmitted electrically, including wireless links, or optically. The computer networks typically further comprise separate network communications devices, such as routers, switches, bridges, access points, and hubs, for transmitting and relaying the communications between the network entities, through the network's mesh.
Computer networks are typically classified by their size or by the type of entity that owns the network. Often, business organizations maintain large computer networks. These computer networks are referred to as enterprise networks. Enterprise networks are typically connected to other enterprise networks or home networks via service provider and public networks.
At the enterprise, service provider, and public network scale, network management systems are used to monitor and manage the networks. These systems can exist as stand-alone, dedicated systems or be embedded in network communications devices such as routers and switches. One specific example is NetFlow technology offered by Cisco Systems. Other tools include special-purpose systems, such as firewalls, that are typically used to manage the communications at boundaries between the networks.
Both firewalls and network management systems allow the network administrator to apply security policies. Policies are typically used to govern or dictate how entities are allowed to communicate over the network. These policies can be applied to entities individually, by setting operating parameters of devices separately. Policy-based management systems have simplified configuration of devices by allowing administrators to define a policy and apply this policy across groups of network entities, generally.
A policy is a collection of rules. A rule can, for example, govern what traffic a particular firewall ignores or prevents/blocks. Other rules can govern whether a given address or device can access a particular service or network resource. The rules can also be applied by routers that decide whether to forward packets from or to a particular address.
Unfortunately, these policy-based management systems have limitations in the types of policies that can be defined and/or implemented, being typically limited to lower layers of the communications stack.
The process for abstracting the dataflow between the network entities is typically articulated in the context of the OSI (Open Systems Interconnection) model communications stack. The lowest layer describes physical layer functions such as the transmission of bits over the communication medium, activation/deactivation of the physical connection, use of idle conditions, control bit generation/detection, start and stop, and zero bit insertion. These functions are requested by data link layer functions, which control the transmission of packets over a logical communications link. Other data link functions include establishing/releasing logical connections, error detection, correction, and recovery, in conjunction with the delimiting of transmitted packets.
At the next higher level of abstraction is the network layer. Functions here include the transfer of data units or packets between two transport entities. Further, at this layer, routing through the network is determined, including segmenting or combining packets into smaller and larger data units, the establishment, maintenance, and relinquishment of end-to-end logical circuits, and the detection and recovery from errors. Network management activities often take place at the network layer and data link layer.
Then, the transport layer functions to handle the transmission of complete messages between network entities. At this layer, sessions between the network entities are established and then taken down. This layer ensures the correct sequence of packets, partition, and combination of messages into packets, and the control of data flow to avoid network overload.
The session layer organizes and synchronizes the dialog that takes place between applications running on network entities. This provides a one-to-one correspondence between a session connection and a presentation connection at a given time. It provides for session continuity, even when transport connections may fail.
Finally, at the two highest levels of abstraction, the presentation layer provides independence from differences between data presentations, such as encryption, by translating from application to network format, and back; and the application layer supports application and end user processes. However, user authentication and privacy are also considered and any constraints on data syntax are identified. At this layer, communication is application-specific.
Network security policies typically control the relatively low layers in the OSI model, such that the policies' rules usually govern the operation of the data link and network layers, only. In case of a firewall, a policy defines types of network communications through the firewall that are authorized and types of network accesses that are unauthorized, typically based on media access control (MAC) and internet protocol (IP) addresses. Administrators define a policy for access between external systems to the enterprise network and the network entities on the network and then use the firewall to enforce that policy.
Recently, systems have been proposed and deployed that enable automatic definition of policies. For example, as described in U.S. Pat. Publication No. US2004/0103211 A1, entitled “System and Method for Managing Computer Networks”, filed Nov. 21, 2002, by Jackson, et al. traffic in a computer network is monitored. The collected flow information is then used to create a network policy for hosts on the network. This is done automatically by the system, which arranges the hosts into hierarchical clusters, based upon similarity values that are determined by the system.
More recently, as described in U.S. application Ser. No. 10/684,964, filed on Oct. 14, 2003, entitled “Method and System for Reducing Scope of Self-Propagating Attack Code in Network”, by Thomas H. Ptacek, et al., systems for establishing a pervasive policy have been proposed. These systems rely on the deployment of firewall or firewall-like devices to compartmentalize the enterprise or service provider network. This allows for the tracking of communications through the network, at the enterprise or service provider scope, and, by using previously defined policies, the selective closing down of communications between the compartments to confront or mitigate network attacks, while allowing authorized communications to continue.
In contrast, authentication security systems employ higher layers in the OSI stack. These typically run on the network entities themselves. They function to ensure that someone or something is, in fact, who or what it is claiming to be.
One example is a protocol referred to TACACS. This acronym stands for Terminal Access Controller Access Control System. It is an authentication protocol that was developed by the Defense Data Network (DDN) community. It provides for remote access authentication and related services, such as event logging. User passwords are administered in a central database, rather than on individual routers or server computers, for example. This provides for a scalable network security solution.
Another authentication protocol is Remote Authentication Dial-In User Server/Service (RADIUS). It has been commonly deployed in dial-up networks and is used by many network access server (NAS) vendors. This authentication program allows the NAS to offload user administration to a central server.
Lightweight Directory Access Protocol (LDAP) and the Active Directory® authentication system are systems used by networking systems produced by the Microsoft Corporation. These protocols and tool replaced an older system referred as Network Basic Input/Output System (NETBIOS), which includes authentication functions as part of NETBIOS communications suite.